Cnet Source Claims U.S. Government Trying to Obtain Keys to Encrypted Web Sessions from Companies

The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.

If the government obtains a company’s master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption — which often appears in a browser with a HTTPS lock icon when enabled — uses a technique called SSL, or Secure Sockets Layer.

“The government is definitely demanding SSL keys from providers,” said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

The person said that large Internet companies have resisted the requests on the grounds that they go beyond what the law permits, but voiced concern that smaller companies without well-staffed legal departments might be less willing to put up a fight. “I believe the government is beating up on the little guys,” the person said. “The government’s view is that anything we can think of, we can compel you to do.”